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In the claims 



Cancel claims 8 V Mv23 v 2$ T 33^ 35, m<i 50 without prejudice or disclaimer. 



Add the following new claims 

1 57. The system of claim 1 wherein the computer readable components are associated 

2 with an application and are stored on a computer readable medium. 

1 58. A system for maintaining security in a distributed computing environment, 

2 comprising: 

3 a policy manager for managing a security policy; and 

4 an application guard for managing access to a transaction related with an 

5 application as specified by the security policy. 

1 59. A system to protect computer systems against unauthorized access for managing 

2 and enforcing complex security requirements in a distributed computer network 

3 comprising: 

4 a policy manager located on a server for managing and distributing a policy to a 

5 client; and 

6 an application guard located on the client, acting to grant or deny access to 

7 various components of the client, as specified by the policy. 

1 60. The system of claim 59 wherein the server is connected via a network to the 

2 client. 
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1 61. The system of claim 59 wherein the server is connected to many clients. 



1 62. The system of claim 59 the server further comprising: 



2 



a central processing unit; 



3 



a Read-Only Memory (ROM); 



4 



a Random- Access Memory (RAM); 



5 



a non-volatile memory; 



6 



an input device; and 



7 



a display; 



8 



wherein the ROM, the RAM, non- volatile memory, input device and display are 



9 connected via a bus. 

r 

1 63. The system of claim 59 wherein the policy manager is a program located on a 

2 server in non-volatile memory. 

1, 64. The system of claim 59 wherein the client contains a program stored in non- 

2 volatile memory for granting or denying access to various components or resources of the 

3 client, as specified by the policy distributed from the server. 

1 05. The system of claim 59 wherein the server includes a non-volatile memory, where 

2 the policy manager is located that specifies the security requirements for applications and 

3 database objects; 

4 said policy contains security rules that describe at least one constraint that 

5 constrains 
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6 which applications a particular user can access and 

7 which objects within an application a user can access. 

1 66. The system of claim 65 wherein the policy manager allows the administrator to 

2 choose whether the constraints are effected by any of 

3 time, 

4 geography, and 

5 - external events. 

1 67. The system of claim 59 wherein the policy is capable of constraining access to 

2 applications and operations within applications. 

1 68. The system of claim 59 wherein the policy is organized into groups and 

2 hierarchies. 

1 69. The system of claim 59 wherein the policy includes access rules, which include: 

2 a grant rule that grants a privilege to a subject on an object under a first constraint; 

3 and 

4 a deny rule that denies a privilege to a subject on an object under a second 

5 constraint. 

1 70. The system of claim 59 the policy manager further comprises 

2 a management station program to operate the policy manager, 

3 a distributor program to distribute local client policies, to clients, 
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4 a logger program to track authorization requests, and 

5 a database management system (DBMS) to maintain policy data files. 

1 71. The system of claim 59 wherein the policy manager further comprises: 

2 an audit log data file to record authorization requests; 

3 an optimized policy data file; 

4 an enterprise policy data file; 

5 an administrative policy data file; and 

6 a local administrative policy data file. 

1 72. The system of claim 59 wherein the policy manager is located within non-volatile 

2 memory. 

1 73. The system of claim 59 wherein the policy manager allows system users to 

2 implement, 

3 analyze, 

4 edit and 

5 update - 

6 a centrally-managed policy. 

1 74. The system of claim 59 wherein the policy includes at least one policy rule 

2 comprising: 

3 1) an object that is to be protected; 

4 2) an access right or privilege; 
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5 3) a global or local user to which the privilege applies; and 

6 4) conditions under which the privilege is granted or denied, wherein the user is 

7 given a choice of types of conditions including 

8 _ whether to use built-in access criteria wherein the user can select 

9 whether to use time of day and 

10 whether to use location, 

11 and 

12 j _ ^Whether to use custom-defined access criteria. 

1 75. The system of claim 59 wherein the policy manager comprises a Graphical User 

2 Interface (GUI) that provides at lest a user- friendly set of menu options or management 

3 services to fully operate the policy manager and control programs that perform at least 

4 navigation, 

5 searching, 

6 distribution, 

7 editing, 

8 querying, and 

9 log viewing. 

1 t 76. The system of claim 59 wherein the policy manager comprises an Application 

2 Programming Interface (API) that at least allows programs to perform the same functions 

3 as a human operator. 
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1 77. A system comprising a computer having a security policy that includes at least 

2 one or more components having at least: 

3 an object, 

4 a subject, 

5 a privilege, and 

6 a condition. 

1 78. The system of claim 77 wherein each object can be an application or an operation 

2 within an application. 

1 79. The system of claim 77 wherein the object is capable of being set to be at least 

2 any of: 

3 an application, 

4 a method, 

5 a web page, 

6 a database table 

7 a file, and 

8 one or more menu items in a graphical user interface. 

1 80. The system of claim 77 wherein the object can be organized into at least an object 

2 hierarchy such that: 

3 if a user is granted a certain privilege on a parent object, then that user is 

4 automatically granted the privilege on all the children objects, and 
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5 if the user is denied a certain privilege on a parent object, then that user is denied 

6 the privilege on all the children objects. 

1 81. The system of claim 77 wherein the privilege is capable of being inherited from a 

2 parent to a child object. 

1 82. The system of claim 77 wherein the subject is capable of being set to be at least 

2 any of: 

3 a user and ■ 

4 a role containing one or more users, 

5 who can at least 

6 access a protected object, and 

7 have access to at least some information in the system. 

1 83. The system of claim 77 wherein the subject is capable of being a user that can be 

2 chosen to be either internal or external to a system. 

1 84. The system of claim 77 wherein the object comprises a list that is capable of 

2 containing one or more users authorized to access the object who can log on to the object 

3 and be authenticated by the object through an external authentication server. 

1 85. The system of claim 77 wherein the system is capable of having the subject be a 

2 user who at least: 
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3 can be maintained separately by one or more components each of which can be an 

4 object or directory server; and 

5 can be extracted from said one or more components to synchronize the 

6 components thereby maintaining their access current. 

1 86. The system of claim 77 wherein components comprise an alias-user who at least 

2 inherits all privileges of a user under certain conditions, thereby facilitating authorization 

3 management by providing fine granularity of control on propagation of a privilege. 

1 87. The system of claim 86 wherein the system is capable of having the alias-user be 

2 created to perform a job function while the user is absent, and inheritance of the privilege 

3 takes effect only when the user is absent. 

1 88. The system of claim 77 wherein a user of the object is capable of being defined to 

2 be local to the object. 

1 89. The system of claim 77 wherein a user can be at least a global user mapped to a 

2 set of local users having at least one local user per object. 

1 90. The system of claim 77 wherein the privilege defines at least one kind of access 

2 that is allowed to the object and includes at least one right to perform a particular action 

3 on the object. 

1 91. The system of claim 77 wherein the privilege is capable of including at least 
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2 a right to execute an application, 

3 a right to download a web page, 

4 a right to query a database table, or 

5 a right to view a menu item. 



1 92. The system of claim 77 wherein the component is capable of being assigned to be 

2 a wild card that is capable of being used at least as a privilege, object, or subject, 

1 93. The system of claim 77 further comprising an access request that includes at least: 

2 a privilege, 

3 an object, and 

4 a subject; 

5 wherein the access request is used by at least a subject to request authorization of 

6 at least a privilege on at least an object. 

1 94. The system of claim 93 wherein the access request at least: 

2 matches a grant rule if the privilege, object, and subject match those in the rule, 

3 and the constraint in the rule is met; and 

4 matches a deny rule if the privilege, object, and subject match those in the rule, 

5 and the constraint in the rule is not met. 

1 95. The system of claim 77 wherein an access request is at least: 

2 denied if 

3 there is a deny rule matching a request, or 
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4 there are no access rules matching the request; and 

5 granted if there are no deny rules matching the request and there is a grant rule 

6 matching the request. 

1 96. The system of claim 77 wherein conditions comprise constraints and the system 

2 having at least facilities for defining constraints as expressions formed from operators 

3 including at least NOT, AND, and OR. 

1 97. The system of claim 77 wherein conditions at least: 

2 are constraints on when the object or the subject can be accessed, 

3 specify requirements on when the access rule is applicable, and 

4 contain options that can be set to be dependent on properties of the object or the 

5 subject. 

1 98. The system of claim 77 wherein the system further comprises facilities for 

2 expressing constraints as at least: 

3 1) relational operations on integers; 

4 2) relational operations on strings; and 

5 3) set operations. 

1 99. The system of claim 77 wherein the system further comprises facilities that allow 

2 the user to define conditions. 
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1 100. The system of claim 77 wherein the system includes an Application Programming 

2 Interface (API) for invoking user-supplied code to evaluate user-defined functions. 

1 101 . A system comprising a computer having a security policy that includes at least 

2 one or more components having at least a set of privileges that includes at least one 

3 privilege that is capable of at least: 

4 being granted to the user explicitly; and 

5 beinggranted to a role which is granted to the user. 

1 102. The system of claim 101 wherein: 

2 the role is a named group of privileges containing at least one privilege that are 

3 granted to at least one user or to at least one other role; and 

4 the at least one user granted to the role is a member of the role. 

1 103. The system of claim 101 wherein the members of a role automatically inherit all 

2 the privileges granted or denied to the role. 

1 104. The system of claim 101 wherein roles are organized into a role hierarchy, where 

2 parent roles are granted to children roles such that: 

3 if a parent role is granted a privilege, then the children roles are automatically 

4 granted the privilege; and 

5 if a role is denied a privilege, then the children roles are automatically denied the 

6 privilege. 
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1 105. The system of claim 101 wherein roles of an object may be defined as being local 

2 to that object. 

1 106. The system of claim 101 wherein the role is at least a global role mapped to at 

2 least a set of local roles, having at least one role per object. 

1 107. The system of claim 101 wherein the system further comprises more than one 

2 role, two of which have memberships that are mutually exclusive with respect to one 

3 another. 

1 108. The security system comprising a policy manager located on a computer system 

2 that includes at least: 

r 

3 a management console or station; 

4 a database management system; 

5 an audit facility; and 

6 a distributor. 

1 109. The system of claim 108 wherein the management station further comprises a 

2 Graphical User Interface (GUI) for creating and customizing rules by system users. 

1 110. The system of claim 108 wherein the management station supports concurrent 

2 rule development by multiple users. 
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1 111. The system of claim 108 wherein the management station includes an application 

2 guard to allow only authorized administrators to operate the management station based on 

3 at least a local administrative policy which provides a set of policy rules specifying which 

4 users are authorized to access management station. 

1 112. A security system comprising: 

2 at least one application guard stored on a computer readable medium and guards a 

3 protected application by preventing unauthorized transactional access to at least a portion 

4 of said application. 

1 113. A security system comprising: 

2 an application guard located within non-volatile memory that is designed to reside 

3 along with each protected application and supports transactional access control by 

4 allowing an application to detect an authorization service and to make authorization 

5 requests at each user interaction, data request, and business-level transaction. 

1 114. The security system of claim 1 13 further comprising a distributor capable of 

2 distributing the application guard on clients throughout an enterprise. 

1 115. The system of claim 1 13 wherein the application guard is integrated into the 

2 application through an application programming interface (API) or authorization library 

3 that allows the application to request authorization services as needed through an 

4 application guard interface. 
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1 116. The system of claim 1 13 further comprising 

2 an authorization engine that processes an authorization request;. 

3 a checker that parses local client policy and stores the parsed local client policy in 

4 Random Access Memory (RAM); and 

5 an evaluator that determines whether the authorization request should be granted 

6 or denied by evaluating the authorization request with the parsed local client policy in 

7 RAM. 

1 117. The system of claim 1 13 wherein the authorization engine comprises plug- ins that 

2 at least allow for additional capabilities to process and evaluate authorization requests 

3 based on customized code. 

1 118. The system of claim 1 13 further comprising a logger where at least: 

2 each authorization request is then recorded in an audit log; and 

3 each authorization request made at a location remote from the logger is 

4 transmitted to the logger via a communication interface. 

1 119. The system of claim 113 wherein the system is capable of implementing at least: 

2 the application guard locally to the application; and 

3 the application guard as a remote authorization service through a remote 

4 procedure call to another server. 
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1 120. A security system comprising: 

2 at least one application guard stored on a computer readable non-volatile memory 

3 medium that is designed to reside along with each protected application and 

4 guards a protected application by preventing unauthorized transactional 

5 access, and 

6 supports transactional access control by allowing an application to detect 

7 an authorization service and to make authorization requests at each user 

8 interaction, data request, and business-level transaction; 

9 wherein 

10 the application guard is integrated into the application through an 

1 1 application programming interface (API) or authorization library that allows the 

12 application to request authorization services as needed through an application 

13 guard interface, and 

14 the system is capable of implementing the application guard locally to the 

15 application and is capable of implementing the application guard as a remote 

16 authorization service through a remote procedure call to another server. 

1 121. A computer readable storage medium having stored thereon a method for 

2 maintaining security in a distributed computing environment comprising the steps of: 

3 managing a security policy via a policy manager; and 

4 managing access via an application guard to a transaction related with an 

5 application as specified by the security policy. 
6 
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7 122. A method for maintaining security in a distributed computing environment, 

8 comprising: 

9 managing a security policy via a policy manager; and 

10 managing access via an application guard to a transaction referenced by an 

1 1 application as specified by the security policy. 

1 123. A method of using a security system comprising: 

2 using ^management station to create or modify a policy rule 

3 distributing the policy rule to appropriate clients via a communication interface 

4 included in the management station. 

1 124. The method of claim 123 further comprises reviewing and reconstructing the 

r 

2 policy rules via a parser to make sure that the policy rules are syntactically and 

3 semantically correct according to a predefined policy language. 

1 125. The method of claim 123 further comprises determining via a differ-program the 

2 changes were made to optimized the policy, and wherein the step of distributing then 

3 distributes only the changed policy rules or local client policy to the appropriate 

4 application guards, which. enforce access control to local applications and data. 

1 126. The method of claim 123 wherein each application guard has its own specific 

2 local client policy. 
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1 127. The method of claim 123 further comprising optimizing via the distributor an 

2 administrative policy into an optimized administrative policy or local administrative 

3 policy for use with an application guard in the management station. 

1 128. The method of distributing at least one security policy rule comprising: 

2 passing the policy rule through at least 

3 a DataBase layer (DB layer) and 

4 _ /-an Open DataBase Connectivity layer (ODBC); 

5 and 

6 storing the policy rule as an enterprise policy. 

1 129. The method of claim 128, wherein: 

2 the DB layer formats the policy rules into standard database storage tables, and 

3 the ODBC provides a common interface to various vendor-specific databases. 

1 130. The method of claim 128 wherein the distribution occurs through the ODBC layer 

2 and a communication interface. 

'* 1 131. The method of claim 1 28 further comprising passing the enterprise policy to a 

2 distributor. 

1 132. The method of claim 128 further comprising determining via an optimizer 

2 program within the distributor which application guard needs to receive the policy rules. 
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1 133. A method of configuring a security system comprising: 

2 installing a policy manager on a server including 

3 installing 

4 a management station, 

5 a distributor, 

6 a logger, and 

7 , ' ' a DataBase Management System (DBMS); 

8 entering a set of policy rules 

9 installing application guards and local client policies onto client systems; and 

10 registering plug-ins into the application guards to allow for additional capabilities 

1 1 in order to process authorization requests based on customized code. 

r 

1 134. The method of claim 133 wherein the step of entering includes presenting an 

2 administrator with the choice of whether to use a policy loader or management station to 

3 enter the policy rules. 

1 135. The method of claim 133 wherein 

2 if the administrator chooses to use the management station, then the step of 

3 entering includes using an edit function to enter the policy rules, and 

4 if the administrator chooses the policy loader, then the step of entering 

5 includes entering the policy rules into a file, and 

6 passing the file to the policy loader. 
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1 136. A method of managing policy under management services in a management 

2 station comprising: 

3 an authorized administrator logging into a policy manager; 

4 the authorized administrator chooses between administrative mode to manage 

5 administrative policy or enterprise mode to manage enterprise policy; 

6 presenting the administrator with menu options including 

7 navigate tree, 

8 - ^analyze policy, 

9 edit policy, 

10 distribute policy, 

1 1 view audit log which is a security feature that allows an administrator to 

12 view and track authorization requests have occurred at an application guard 

1 3 connected to a system/and 

14 exit. 

1 137. The method of claim 136 wherein menu option navigate tree provides a set of edit 

2 options for an administrator that include to 

3 add, 

4 delete, and 

5 modify features; 

6 wherein the administrator is presented with a choice of features on a server and on 

7 a client. 
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1 138. The method of claim 136 wherein the features that the administrator has the 

2 option apply the edit options include 

3 global users, 

4 global roles, 

5 directories, 

6 local roles, 

7 local users, 

8 applications, 

9 application guards, and 
10 declarations. 

1 139. The method of claim 136 wherein the menu option analyze policy allows an 

r 

2 authorized user to analyze and view rules and policies within enterprise policy. 



The method of claim 136 wherein the user is presented with an option to 
search rules, and 
to query policy. 



1 141 . The method of claim 140 wherein if search rules is selected, the administrator is 

2 presented with options of searching grant rules and all the deny rules pertaining to a 

3 particular user. 

1 142. the method of claim 140 wherein if query policy is selected, a search can be 

2 made on who is granted or denied what privilege on which objects under what conditions. 



1 140. 

2 
3 
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1 143. The method of claim 140 wherein the menu option edit policy presents an 

2 authorized user with the option to add, delete, and modify enterprise policy features. 

1 144. The method of claim 143 wherein the features that may be edited include 

2 a rule set, 

3 access, 

4 a privilege, 

5 an objects, 

6 an user 

7 a role, and 

8 an attribute. 

r 

1 145, The method of claim 136 wherein the menu option distribute policy includes 

2 distributing the new features of a newly entered or modified enterprise policy to 

3 appropriate application guards. 

1 146. The method of claim 136 wherein upon selecting the distribute policy option 

2 a distributor optimizes enterprise policy; 

3 a differ program computes a difference between a newly optimized policy and a 

4 former optimized policy; 

5 the newly optimized policy is then published as optimized policy in DBMS; 

6 committing only the changed portions of the newly optimized policy to an 

7 appropriate application guard; 

8 the. application guard receives the newly optimized policy; 
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9 the application guard merges the newly optimized policy into local client policy; 
10 and 

11- the local client policy is activated to work with the application guard. 

1 147. A method of granting client access authorization comprising: 

2 using an application guard that includes at least 

3 requesting access to a software securable component associated with an 

4 application protected by an application guard, wherein the application guard 

5 constructs and issues an authorization request, and 

6 evaluating the authorization request via the application guard according to 

7 its local client policy to determine whether to allow or deny the authorization 

8 request; and 

9 an audit records the authorization request in an audit log; 

10 wherein 

11 if there is an error in the authorization request, or if the request is 

12 not valid, then the user is denied access; 

1 3 if the authorization request is valid, then a determination is made 

1 4 whether access should be granted, and 

15 if the evaluated authorization request does not deny access 

16 for the user, then access is allowed, and 

17 if the evaluated authorization request denies access for the 

18 user, then access is denied. 
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1 148. The method of claim 147 wherein evaluating the authorization request includes an 

2 evaluator searching deny rules in local policy 

3 if the evaluator finds a deny rule, then an evaluation is performed on any 

4 constraints on the deny rule 

5 if the evaluation finds a presently valid constraint on the deny rule, 

6 then access is denied, and 

7 if the evaluation finds that all constraints on the deny rule are not 

8 presently valid, then a search for a grant rule is performed; 

9 and 

10 if no deny rules are found, then a search for a grant rule is performed; 

1 1 wherein after a search for a grant rule 

12 if no grant rule is found that would allow access for the user, then 

13 access is denied, and 

14 if a grant rule is found, then an evaluation is performed on any 

15 constraints in the grant rules wherein 

16 if the evaluated constraint is presently valid, then access is 

17 allowed, and 

18 if the evaluated constraint is not presently valid, then access 

19 is denied. 

1 149. A method for securing a computer system comprising: 

2 guarding a protected application by using an application guard to prevent 

3 unauthorized transactional access. 
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1 150. A method for providing a security system comprising: 

2 providing at least one application guard that is storable on a computer readable 

3 medium and guards a protected application by preventing unauthorized transactional 

4 access to at least a component associated with the application. 

1 151. A method for updating a security system comprising: 

2 updating a set of policy rules containing at least one policy rule in a central 

3 location; , , .>../ •- 

4 generating changes to the set of policy rules resulting from the updating step; and 

5 distributing the changes to the set of policy rules. 

1 1 52. The method of claim 1 5 1 wherein the policy rule contains entitlement information 

2 related to at least one resource. 

1 153. The method of claim 1 5 1 wherein the policy rules are stored in a database table. 

1 154. A method for establishing a security system comprising: 

2 establishing a set of policy rules containing at least one policy rule in a central 

3 location; and 

4 distributing the set of policy rules for enforcement. 

1 155. The method of claim 154 wherein the policy rule contains entitlement information 

2 related to at least one resource. 
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156. The method of claim 154 wherein the policy rules are stored in a database table. 
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